Back to overview

CVE-2026-48815

HIGH Exploitation: PoC
7.5
CVSS 3.1
Description
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1.

Metadata

CVE ID
CVE-2026-48815
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-22 20:57 UTC
Published
2026-07-14 20:27 UTC
Last updated
2026-07-15 12:56 UTC
Primary CWE
CWE-347
CWE-347: Improper Verification of Cryptographic Signature
Vendor / Product
sigstore / sigstore-js
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
sigstore sigstore-js < 4.1.1
Weakness (CWE)
CWESourceDescription
CWE-347 cna CWE-347: Improper Verification of Cryptographic Signature
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References (4)
Back to overview